#!/bin/bash
# shellcheck source=functions.sh
source /app/functions.sh

# Service-wide settings; every one of them can be overridden from the environment.

# Seconds the service loop sleeps between two update passes.
: "${CERTS_UPDATE_INTERVAL:=3600}"
# ACME directory used unless a certificate sets its own ACME_<cid>_CA_URI.
: "${ACME_CA_URI:="https://acme-v02.api.letsencrypt.org/directory"}"
# Staging directory, selected per certificate through LETSENCRYPT_<cid>_TEST.
ACME_CA_TEST_URI="https://acme-staging-v02.api.letsencrypt.org/directory"
# Key length / curve used when LETSENCRYPT_<cid>_KEYSIZE is absent or not one
# of the accepted values.
: "${DEFAULT_KEY_SIZE:=4096}"
# Passed through lc (from functions.sh, presumably lower-casing) so that the
# later comparisons against 'true' / 'false' are exact.
RENEW_PRIVATE_KEYS="$(lc "${RENEW_PRIVATE_KEYS:-true}")"

# Backward compatibility environment variable
REUSE_PRIVATE_KEYS="$(lc "${REUSE_PRIVATE_KEYS:-false}")"
#######################################
# Point a symlink at a certificate file, unless it already does.
# Arguments:
#   $1 - link content (what the symlink must resolve to)
#   $2 - path of the symlink to create or refresh
# Outputs:
#   One debug line on stdout when DEBUG=1 and the link was already in place
# Returns:
#   1 when $2 already pointed to $1 (nothing changed, ownership refreshed),
#   otherwise the status of `ln -sf` chained with set_ownership_and_permissions
#######################################
function create_link {
    local -r link_content=${1?missing source argument}
    local -r link_path=${2?missing target argument}

    # Already linked to the expected content: only refresh ownership and
    # report "unchanged" to the caller through the return code.
    if [[ -f "$link_path" && "$(readlink "$link_path")" == "$link_content" ]]; then
        set_ownership_and_permissions "$link_path"
        [[ "$DEBUG" == 1 ]] && echo "$link_path already linked to $link_content"
        return 1
    fi

    # -f replaces whatever currently sits at $link_path, a regular file
    # included (readlink yields nothing for those, so they land here).
    ln -sf "$link_content" "$link_path" \
        && set_ownership_and_permissions "$link_path"
}
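#######################################
# Create or refresh the per-domain symlinks nginx reads for one domain,
# pointing at the files issued for the certificate's base domain.
# The links are relative (./<base_domain>/...), so they only resolve as seen
# from /etc/nginx/certs; update_certs pushd's there before calling this.
# Arguments:
#   $1 - base domain (first host of the certificate), whose files live in
#        /etc/nginx/certs/$1/
#   $2 - domain that needs /etc/nginx/certs/$2.{crt,key,dhparam.pem,chain.pem}
# Returns:
#   1 when the base domain has no fullchain.pem / key.pem, or when every link
#   was already in place; 0 when at least one link was (re)created
#######################################
function create_links {
    local -r base_domain=${1?missing base_domain argument}
    local -r domain=${2?missing domain argument}
    local -r certs_dir="/etc/nginx/certs"

    # Nothing to link to without both the full chain and the private key.
    if [[ ! -f "${certs_dir}/${base_domain}/fullchain.pem" || \
          ! -f "${certs_dir}/${base_domain}/key.pem" ]]; then
        return 1
    fi

    # create_link returns 0 only when it actually (re)created a link, so one
    # success is enough to report a change; any other status is ignored here.
    local return_code=1

    create_link "./${base_domain}/fullchain.pem" "${certs_dir}/${domain}.crt" \
        && return_code=0
    create_link "./${base_domain}/key.pem" "${certs_dir}/${domain}.key" \
        && return_code=0

    # Optional extras: shared DH parameters and the intermediate chain.
    if [[ -f "${certs_dir}/dhparam.pem" ]]; then
        create_link "./dhparam.pem" "${certs_dir}/${domain}.dhparam.pem" \
            && return_code=0
    fi
    if [[ -f "${certs_dir}/${base_domain}/chain.pem" ]]; then
        create_link "./${base_domain}/chain.pem" "${certs_dir}/${domain}.chain.pem" \
            && return_code=0
    fi

    return "$return_code"
}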
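#######################################
# Remove the nginx symlinks of domains that are no longer requested.
#
# A domain is "symlinked" when /etc/nginx/certs/<domain>.crt is a symlink, and
# "enabled" when it appears in a LETSENCRYPT_<cid>_HOST array after sourcing
# /app/letsencrypt_service_data and /app/letsencrypt_user_data (presumably
# these define LETSENCRYPT_CONTAINERS / LETSENCRYPT_STANDALONE_CERTS and the
# per-id host arrays — see the nameref below). Links of symlinked domains that
# are not enabled are removed, but only when the directory the link resolves
# into carries the .companion marker written by update_cert, so certificate
# files provided by the user are never touched.
# Globals:
#   DEBUG (read) - extra progress lines on stdout when set to 1
# Arguments:
#   none
# Returns:
#   0 when at least one symlink was removed, 1 otherwise
#######################################
function cleanup_links {
    local -r certs_dir="/etc/nginx/certs"
    local -a LETSENCRYPT_CONTAINERS
    local -a LETSENCRYPT_STANDALONE_CERTS
    local -a ENABLED_DOMAINS
    local -a SYMLINKED_DOMAINS
    local -a DISABLED_DOMAINS
    local symlinked_domain cid domain disabled_domain cert_folder extension file
    local removed_any='false'

    # Domains that currently have a symlinked certificate in /etc/nginx/certs.
    for symlinked_domain in "${certs_dir}"/*.crt; do
        # Skips regular files, and the literal pattern when nothing matches.
        [[ -L "$symlinked_domain" ]] || continue
        symlinked_domain="${symlinked_domain##*/}"
        symlinked_domain="${symlinked_domain%.crt}"
        SYMLINKED_DOMAINS+=("$symlinked_domain")
    done
    [[ "$DEBUG" == 1 ]] && echo "Symlinked domains: ${SYMLINKED_DOMAINS[*]}"

    # Domains considered enabled: every host of every container or standalone
    # certificate listed in the data files.
    [[ -f /app/letsencrypt_service_data ]] && source /app/letsencrypt_service_data
    [[ -f /app/letsencrypt_user_data ]] && source /app/letsencrypt_user_data
    LETSENCRYPT_CONTAINERS+=( "${LETSENCRYPT_STANDALONE_CERTS[@]}" )
    for cid in "${LETSENCRYPT_CONTAINERS[@]}"; do
        local -n hosts_array="LETSENCRYPT_${cid}_HOST"
        for domain in "${hosts_array[@]}"; do
            ENABLED_DOMAINS+=("$domain")
        done
    done
    [[ "$DEBUG" == 1 ]] && echo "Enabled domains: ${ENABLED_DOMAINS[*]}"

    # Symlinked domains that are not enabled any more. Enabled domains are
    # listed twice so that `uniq -u` always drops them; a symlinked domain
    # cannot repeat (it comes from unique file names), so it survives exactly
    # when it is not enabled.
    if [[ ${#SYMLINKED_DOMAINS[@]} -gt 0 ]]; then
        mapfile -t DISABLED_DOMAINS < <(printf '%s\n' "${SYMLINKED_DOMAINS[@]}" \
            "${ENABLED_DOMAINS[@]}" \
            "${ENABLED_DOMAINS[@]}" \
            | sort | uniq -u)
    fi
    [[ "$DEBUG" == 1 ]] && echo "Disabled domains: ${DISABLED_DOMAINS[*]}"

    # Nothing to remove.
    if [[ ${#DISABLED_DOMAINS[@]} -eq 0 ]]; then
        return 1
    fi

    [[ "$DEBUG" == 1 ]] && echo "Some domains are disabled :"
    for disabled_domain in "${DISABLED_DOMAINS[@]}"; do
        [[ "$DEBUG" == 1 ]] && echo "Checking domain ${disabled_domain}"
        cert_folder="$(readlink -f "${certs_dir}/${disabled_domain}.crt")"
        # Only directories written by update_cert carry the .companion marker;
        # anything else is user provided and left alone.
        if [[ ! -e "${cert_folder%/*}/.companion" ]]; then
            [[ "$DEBUG" == 1 ]] && echo "No .companion file found in ${cert_folder}. ${disabled_domain} is not managed by acme-companion. Skipping domain."
            continue
        fi
        [[ "$DEBUG" == 1 ]] && echo "${disabled_domain} is managed by acme-companion. Removing unused symlinks."
        for extension in .crt .key .dhparam.pem .chain.pem; do
            file="${disabled_domain}${extension}"
            # Only ever remove symlinks, never a real file; the blank-name guard
            # keeps rm away from the certs directory itself.
            if [[ -n "${file// }" && -L "${certs_dir}/${file}" ]]; then
                [[ "$DEBUG" == 1 ]] && echo "Removing ${certs_dir}/${file}"
                rm -f "${certs_dir}/${file}" && removed_any='true'
            fi
        done
    done

    # Report 0 only when something was actually removed, so the caller does
    # not reload nginx for domains that were merely skipped.
    if [[ "$removed_any" == 'true' ]]; then
        return 0
    fi
    return 1
}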
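#######################################
# Issue or renew the certificate of one container / standalone entry with
# acme.sh, then wire the resulting files into /etc/nginx/certs.
#
# Per-certificate settings are read through namerefs on LETSENCRYPT_<cid>_*,
# ACME_<cid>_* and ZEROSSL_<cid>_API_KEY (expected to come from the data files
# sourced by update_certs); a value that is empty or equal to the "<no value>"
# placeholder falls back to the service-wide default.
# Globals:
#   DEBUG, DEFAULT_KEY_SIZE, DEFAULT_EMAIL, CA_BUNDLE, ACME_CA_URI,
#   ACME_CA_TEST_URI, ACME_EAB_KID, ACME_EAB_HMAC_KEY, ZEROSSL_API_KEY,
#   RENEW_PRIVATE_KEYS, REUSE_PRIVATE_KEYS, COMPANION_VERSION (read)
#   should_reload_nginx (written: set to 'true' when nginx must be reloaded)
# Arguments:
#   $1 - container id (or standalone certificate id) used in the variable names
#   $2 - optional; "--force-renew" adds --force to the acme.sh --issue call
# Returns:
#   1 when no usable ACME account could be registered; otherwise the status is
#   not meaningful (update_certs ignores it)
#######################################
function update_cert {
    local cid="${1:?}"
    local -n hosts_array="LETSENCRYPT_${cid}_HOST"
    # First domain will be our base domain
    local base_domain="${hosts_array[0]}"
    local should_restart_container='false'
    local domain file

    # Base CLI parameters array, used for both --register-account and --issue
    local -a params_base_arr
    params_base_arr+=(--log /dev/null)
    [[ "$DEBUG" == 1 ]] && params_base_arr+=(--debug 2)

    # Alternative trusted root CA path, used for test with Pebble
    if [[ -n "${CA_BUNDLE// }" ]]; then
        if [[ -f "$CA_BUNDLE" ]]; then
            params_base_arr+=(--ca-bundle "$CA_BUNDLE")
            [[ "$DEBUG" == 1 ]] && echo "Debug: acme.sh will use $CA_BUNDLE as trusted root CA."
        else
            echo "Warning: the path to the alternate CA bundle ($CA_BUNDLE) is not valid, using default Alpine trust store."
        fi
    fi

    # CLI parameters array used for --register-account
    local -a params_register_arr
    # CLI parameters array used for --issue
    local -a params_issue_arr
    params_issue_arr+=(--webroot /usr/share/nginx/html)

    # Key length / curve: only the values matched by the regex are honoured,
    # anything else falls back to DEFAULT_KEY_SIZE. The assignment goes
    # through the nameref, i.e. it rewrites LETSENCRYPT_<cid>_KEYSIZE itself.
    local -n cert_keysize="LETSENCRYPT_${cid}_KEYSIZE"
    if [[ -z "$cert_keysize" || "$cert_keysize" == "<no value>" ]] || \
        [[ ! "$cert_keysize" =~ ^(2048|3072|4096|ec-256|ec-384)$ ]]; then
        cert_keysize=$DEFAULT_KEY_SIZE
    fi
    params_issue_arr+=(--keylength "$cert_keysize")

    # OCSP-Must-Staple extension
    local -n ocsp="ACME_${cid}_OCSP"
    if [[ $(lc "$ocsp") == true ]]; then
        params_issue_arr+=(--ocsp-must-staple)
    fi

    local -n accountemail="LETSENCRYPT_${cid}_EMAIL"
    local config_home
    # If we don't have a LETSENCRYPT_EMAIL from the proxied container
    # and DEFAULT_EMAIL is set to a non empty value, use the latter.
    if [[ -z "$accountemail" || "$accountemail" == "<no value>" ]]; then
        if [[ -n "${DEFAULT_EMAIL// }" ]]; then
            accountemail="$DEFAULT_EMAIL"
        else
            # unset acts through the nameref: LETSENCRYPT_<cid>_EMAIL is cleared.
            unset accountemail
        fi
    fi
    if [[ -n "${accountemail// }" ]]; then
        # If we got an email, use it with the corresponding config home
        config_home="/etc/acme.sh/$accountemail"
    else
        # If we did not get any email at all, use the default (empty mail) config
        config_home="/etc/acme.sh/default"
    fi

    local -n acme_ca_uri="ACME_${cid}_CA_URI"
    if [[ -z "$acme_ca_uri" || "$acme_ca_uri" == "<no value>" ]]; then
        # Use default or user provided ACME end point
        acme_ca_uri="$ACME_CA_URI"
    fi
    # LETSENCRYPT_TEST overrides LETSENCRYPT_ACME_CA_URI
    local -n test_certificate="LETSENCRYPT_${cid}_TEST"
    if [[ $(lc "$test_certificate") == true ]]; then
        # Use Let's Encrypt ACME V2 staging end point
        acme_ca_uri="$ACME_CA_TEST_URI"
    fi

    # Set relevant --server parameter and ca folder name
    params_base_arr+=(--server "$acme_ca_uri")
    # The account file checked below lives under <config_home>/ca/<host>/, so
    # strip the scheme, the path and an optional port from the directory URL.
    local ca_dir="${acme_ca_uri##*://}" \
        && ca_dir="${ca_dir%%/*}" \
        && ca_dir="${ca_dir%%:*}"

    local certificate_dir
    # If we're going to use one of LE stating endpoints ...
    if [[ "$acme_ca_uri" =~ ^https://acme-staging.* ]]; then
        # Unset accountemail
        # force config dir to 'staging'
        unset accountemail
        config_home="/etc/acme.sh/staging"
        # Prefix test certificate directory with _test_
        certificate_dir="/etc/nginx/certs/_test_$base_domain"
    else
        certificate_dir="/etc/nginx/certs/$base_domain"
    fi

    params_issue_arr+=( \
        --cert-file "${certificate_dir}/cert.pem" \
        --key-file "${certificate_dir}/key.pem" \
        --ca-file "${certificate_dir}/chain.pem" \
        --fullchain-file "${certificate_dir}/fullchain.pem" \
    )

    [[ ! -d "$config_home" ]] && mkdir -p "$config_home"
    params_base_arr+=(--config-home "$config_home")
    local account_file="${config_home}/ca/${ca_dir}/account.json"

    # Zero SSL External Account Binding (EAB)
    if [[ "$acme_ca_uri" == "https://acme.zerossl.com/v2/DV90" ]]; then
        local -n eab_kid="ACME_${cid}_EAB_KID"
        local -n eab_hmac_key="ACME_${cid}_EAB_HMAC_KEY"
        local -n zerossl_api_key="ZEROSSL_${cid}_API_KEY"
        if [[ -z "$zerossl_api_key" || "$zerossl_api_key" == "<no value>" ]]; then
            # Try using the default API key
            zerossl_api_key="$ZEROSSL_API_KEY"
        fi
        if [[ ! -f "$account_file" ]]; then
            if [[ -n "${eab_kid// }" && "$eab_kid" != "<no value>" && -n "${eab_hmac_key// }" && "$eab_hmac_key" != "<no value>" ]]; then
                # Register the ACME account with the per container EAB credentials.
                params_register_arr+=(--eab-kid "$eab_kid" --eab-hmac-key "$eab_hmac_key")
            elif [[ -n "${zerossl_api_key// }" && "$zerossl_api_key" != "<no value>" ]]; then
                # We have a Zero SSL API key but no per-container EAB kid and hmac key.
                # Generate a set of ACME EAB credentials using the ZeroSSL API.
                # The API key is part of curl's argument vector, so it is visible
                # in the process list for the duration of the request.
                local zerossl_api_response
                if zerossl_api_response="$(curl -s -X POST "https://api.zerossl.com/acme/eab-credentials?access_key=${zerossl_api_key}")"; then
                    if [[ "$(jq -r .success <<< "$zerossl_api_response")" == 'true' ]]; then
                        eab_kid="$(jq -r .eab_kid <<< "$zerossl_api_response")"
                        eab_hmac_key="$(jq -r .eab_hmac_key <<< "$zerossl_api_response")"
                        params_register_arr+=(--eab-kid "$eab_kid" --eab-hmac-key "$eab_hmac_key")
                        [[ "$DEBUG" == 1 ]] && echo "Successfull EAB credentials request against the ZeroSSL API, got the following EAB kid : ${eab_kid}"
                    else
                        # The JSON response body indicated an unsuccesfull API call.
                        echo "Warning: the EAB credentials request against the ZeroSSL API was not successfull."
                    fi
                else
                    # curl failed.
                    echo "Warning: curl failed to make an HTTP POST request to https://api.zerossl.com/acme/eab-credentials."
                fi
            elif [[ -n "${ACME_EAB_KID// }" && -n "${ACME_EAB_HMAC_KEY// }" ]]; then
                # We don't have per-container EAB kid and hmac key or Zero SSL API key.
                # Register the ACME account with the default EAB credentials.
                params_register_arr+=(--eab-kid "$ACME_EAB_KID" --eab-hmac-key "$ACME_EAB_HMAC_KEY")
            elif [[ -n "${accountemail// }" ]]; then
                # We don't have per container nor default EAB credentials, register a new account with ZeroSSL.
                params_register_arr+=(--accountemail "$accountemail")
            else
                # We don't have a Zero SSL ACME account, EAB credentials, a ZeroSSL API key or an account email :
                # skip certificate account registration and certificate issuance.
                echo "Error: usage of ZeroSSL require an email bound account. No EAB credentials, ZeroSSL API key or email were provided for this certificate, creation aborted."
                return 1
            fi
        fi
    elif [[ -n "${accountemail// }" ]]; then
        # We're not using Zero SSL, register the ACME account using the provided email.
        params_register_arr+=(--accountemail "$accountemail")
    fi

    # Account registration and update if required
    if [[ ! -f "$account_file" ]]; then
        params_register_arr=("${params_base_arr[@]}" "${params_register_arr[@]}")
        if [[ "$DEBUG" == 1 ]]; then
            # Log a copy with the EAB HMAC key masked: it is an account secret
            # and must not end up in the container logs.
            local -a params_register_log=("${params_register_arr[@]}")
            local index
            for index in "${!params_register_log[@]}"; do
                if [[ "${params_register_log[$index]}" == '--eab-hmac-key' ]]; then
                    params_register_log[$((index + 1))]='<redacted>'
                fi
            done
            echo "Calling acme.sh --register-account with the following parameters : ${params_register_log[*]}"
        fi
        acme.sh --register-account "${params_register_arr[@]}"
    fi
    # The email is a literal, not a regex, hence -F.
    if [[ -n "${accountemail// }" ]] && ! grep -qF -- "mailto:$accountemail" "$account_file"; then
        local -a params_update_arr=("${params_base_arr[@]}" --accountemail "$accountemail")
        [[ "$DEBUG" == 1 ]] && echo "Calling acme.sh --update-account with the following parameters : ${params_update_arr[*]}"
        acme.sh --update-account "${params_update_arr[@]}"
    fi
    # If we still don't have an account.json file by this point, we've got an issue
    if [[ ! -f "$account_file" ]]; then
        echo "Error: no ACME account was found or registered for $accountemail and $acme_ca_uri, certificate creation aborted."
        return 1
    fi

    local -n acme_preferred_chain="ACME_${cid}_PREFERRED_CHAIN"
    if [[ -n "${acme_preferred_chain// }" && "$acme_preferred_chain" != "<no value>" ]]; then
        # Using amce.sh --preferred-chain to select alternate chain.
        params_issue_arr+=(--preferred-chain "$acme_preferred_chain")
    fi

    # A fresh private key on every issuance unless the user opted out through
    # RENEW_PRIVATE_KEYS=false or the legacy REUSE_PRIVATE_KEYS=true.
    if [[ "$RENEW_PRIVATE_KEYS" != 'false' && "$REUSE_PRIVATE_KEYS" != 'true' ]]; then
        params_issue_arr+=(--always-force-new-domain-key)
    fi

    [[ "${2:-}" == "--force-renew" ]] && params_issue_arr+=(--force)

    # Create directory for the first domain
    mkdir -p "$certificate_dir"
    set_ownership_and_permissions "$certificate_dir"

    for domain in "${hosts_array[@]}"; do
        # Add all the domains to certificate
        params_issue_arr+=(--domain "$domain")
        # Add location configuration for the domain
        add_location_configuration "$domain" || reload_nginx
    done

    params_issue_arr=("${params_base_arr[@]}" "${params_issue_arr[@]}")
    [[ "$DEBUG" == 1 ]] && echo "Calling acme.sh --issue with the following parameters : ${params_issue_arr[*]}"
    echo "Creating/renewal $base_domain certificates... (${hosts_array[*]})"
    acme.sh --issue "${params_issue_arr[@]}"
    # $? is expanded before `local` runs, so this captures acme.sh's status.
    local acmesh_return=$?
    # 0 = success, 2 = RENEW_SKIP
    if [[ $acmesh_return == 0 || $acmesh_return == 2 ]]; then
        for domain in "${hosts_array[@]}"; do
            if [[ $acme_ca_uri =~ ^https://acme-staging.* ]]; then
                create_links "_test_$base_domain" "$domain" \
                    && should_reload_nginx='true' \
                    && should_restart_container='true'
            else
                create_links "$base_domain" "$domain" \
                    && should_reload_nginx='true' \
                    && should_restart_container='true'
            fi
        done
        # Marker read by cleanup_links: only directories carrying it are managed here.
        echo "${COMPANION_VERSION:-}" > "${certificate_dir}/.companion"
        set_ownership_and_permissions "${certificate_dir}/.companion"
        # Make private key root readable only
        for file in cert.pem key.pem chain.pem fullchain.pem; do
            local file_path="${certificate_dir}/${file}"
            [[ -e "$file_path" ]] && set_ownership_and_permissions "$file_path"
        done
        # Queue nginx reload if a certificate was issued or renewed
        [[ $acmesh_return -eq 0 ]] \
            && should_reload_nginx='true' \
            && should_restart_container='true'
    fi
    # Restart container if certs are updated and the respective environmental variable is set
    local -n restart_container="LETSENCRYPT_${cid}_RESTART_CONTAINER"
    if [[ $(lc "$restart_container") == true ]] && [[ "$should_restart_container" == 'true' ]]; then
        echo "Restarting container (${cid})..."
        docker_restart "${cid}"
    fi
    for domain in "${hosts_array[@]}"; do
        if [[ -f "/etc/nginx/conf.d/standalone-cert-$domain.conf" ]]; then
            [[ "$DEBUG" == 1 ]] && echo "Debug: removing standalone configuration file /etc/nginx/conf.d/standalone-cert-$domain.conf"
            rm -f "/etc/nginx/conf.d/standalone-cert-$domain.conf" && should_reload_nginx='true'
        fi
    done
}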
#######################################
# One pass of the service: load the container and standalone settings, run
# update_cert for every entry, prune stale symlinks and reload nginx once if
# anything changed.
# Globals:
#   should_reload_nginx (written) - shared flag that update_cert also sets
#   LETSENCRYPT_CONTAINERS, LETSENCRYPT_STANDALONE_CERTS - local here,
#     filled by the sourced data files
# Arguments:
#   $1 - optional; forwarded to update_cert ("--force-renew")
# Returns:
#   non-zero when /etc/nginx/certs cannot be entered, when the nginx-proxy
#   container check fails, or when popd fails
#######################################
function update_certs {
    local -a LETSENCRYPT_CONTAINERS
    local -a LETSENCRYPT_STANDALONE_CERTS

    # create_links builds relative symlinks, so work from the certs directory.
    pushd /etc/nginx/certs > /dev/null || return
    check_nginx_proxy_container_run || return

    # Load relevant container settings
    if [[ ! -f /app/letsencrypt_service_data ]]; then
        echo "Warning: /app/letsencrypt_service_data not found, skipping data from containers."
    else
        source /app/letsencrypt_service_data
    fi

    # Load settings for standalone certs
    if [[ -f /app/letsencrypt_user_data ]]; then
        if ! source /app/letsencrypt_user_data; then
            echo "Warning: could not source /app/letsencrypt_user_data, skipping user data"
        else
            for cid in "${LETSENCRYPT_STANDALONE_CERTS[@]}"; do
                local -n hosts_array="LETSENCRYPT_${cid}_HOST"
                for domain in "${hosts_array[@]}"; do
                    add_standalone_configuration "$domain"
                done
            done
            reload_nginx
            LETSENCRYPT_CONTAINERS+=( "${LETSENCRYPT_STANDALONE_CERTS[@]}" )
        fi
    fi

    # Global on purpose: update_cert() flips it to 'true' when a certificate
    # or a standalone configuration file changed.
    should_reload_nginx='false'
    for cid in "${LETSENCRYPT_CONTAINERS[@]}"; do
        # Pass the eventual --force-renew arg to update_cert() as second arg
        update_cert "$cid" "${1:-}"
    done

    cleanup_links && should_reload_nginx='true'
    [[ "$should_reload_nginx" == 'true' ]] && reload_nginx
    popd > /dev/null || return
}
# Allow the script functions to be sourced without starting the Service Loop.
[[ "${1}" == "--source-only" ]] && return 0

# Service Loop: the EXIT trap re-executes this script once a pass is over, so
# the process only stops on INT/TERM, whose trap disarms the EXIT trap first.
# Note that `exec $0` carries no arguments: "$@" (e.g. --force-renew) only
# applies to the first pass.
pid=
trap '[[ $pid ]] && kill $pid; exec $0' EXIT
trap 'trap - EXIT' INT TERM

update_certs "$@"

# Wait some amount of time, in the background so that a signal can interrupt
# the wait; the EXIT trap kills the sleep if it is still pending.
echo "Sleep for ${CERTS_UPDATE_INTERVAL}s"
sleep $CERTS_UPDATE_INTERVAL & pid=$!
wait
pid=